Thursday, September 29, 2011

OS X Lion passwords can be changed by any local user

Any user on the system can modify the passwords of other local accounts

In OSX, user passwords are encrypted and then are stored in files called "shadow files" which are placed in secure locations on the drive. Based on system permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication. This means that only the user can change its password, or if needed, then an administrator can do this by first authenticating.

Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. The problem at hand appears to be because of a permissions oversight that allows all users search access to the system's directory services.

Please note: This problem only appears to be a risk if your system is accessed directly by a hacker who has the ability to log in and access the directory services with a tool that can modify the directory services' settings. Setting up a more restrictive environment for accounts on the system should be enough to prevent this latest flaw from being taken advantage of until Apple releases a patch to fix the problem.

Refer here to read more details on CNET.

Tuesday, September 27, 2011

Skype for iPhone may leak Address Book

A vulnerability could see your entire Address Book uploaded to a remote system

A cross-site scripting vulnerability in Skype for iOS has been used to remotely extract the victim device's Address Book. In the proof of concept (PoC) described on the Superevr blog, a piece of JavaScript is inserted in the Full Name field of the attacker's profile.

When a message is received by the victim, the JavaScript runs and initiates a connection to a server, which sends the real payload. That payload instructs the device to upload the entire Address Book file, which can then be read using SQLite-based programs.

The author of the PoC says there's no indication on the device that anything untoward is happening. The issue is said to affect Skype 3.0.1 and earlier, and the PoC was demonstrated on iOS 4.3.5.

The author of the PoC says he reported the issue to Skype in late August, and was told an update would be released early this month. He made a public disclosure this week after the update did not materialise.

The only current mitigations appear to be to ensure that Skype is set to accept messages only from existing contacts, and to be careful to only accept contact requests from people you trust.

Sunday, September 25, 2011

Air traffic system vulnerable to cyber attack

Next-generation global air traffic control system is vulnerable to malicious hacks that could cause catastrophe

An alarm blares in the cockpit mid flight, warning the pilot of an imminent collision. The pilot checks his tracking display, sees an incoming aircraft and sends the plane into a dive. That only takes it into another crowded air lane, however, where it collides with a different plane. Investigators later discover that the pilot was running from a "ghost" - a phantom aircraft created by a hacker intent on wreaking havoc in the skies.

It's a fictional scenario, but US air force analysts warn that it could be played out if hackers exploit security holes in an increasingly common air traffic control technology.

At issue is a technology called Automatic Dependent Surveillance - Broadcast (ADS-B), which the International Civil Aviation Organisation certified for use in 2002. Gradually being deployed worldwide, ADS-B improves upon the radar-based systems that air traffic controllers and pilots rely on to find out the location and velocity of aircraft in their vicinity.

Conventional ground-based radar systems are expensive to run, become less accurate at determining position the further away a plane is, and are slow to calculate an aircraft's speed. Perhaps worst of all, their limited range means they cannot track planes over the ocean.

So instead of bouncing radar signals off aircraft, ADS-B uses GPS signals to continuously broadcast a plane's identity, ground position, altitude and velocity to networks of ground stations and other nearby aircraft. This way, everyone knows where everyone else is.

ADS-B transmits information in unencrypted 112-bit bursts - a measure intended to make the system simple and cheap to implement. It's this that researchers from the US air force's Institute of Technology at Wright-Patterson Air Force Base in Ohio are unhappy with. Donald McCallie, Jonathan Butts and Robert Mills warn that the unencrypted signals could be intercepted and spoofed by hackers, or simply jammed.

The team says the vulnerabilities it has identified "could have disastrous consequences including confusion, aircraft groundings, even plane crashes if exploited by adversaries" (International Journal of Critical Infrastructure Protection, DOI: 10.1016/j.ijcip.2011.06.001).

Thursday, September 22, 2011

PLC's have little or no security!!

Luigi Vulnerabilities of ICS products

Italian researcher Luigi Auriemma has released another set of vulnerability advisories and proof of concept exploit code for a variety of ICS products. He is finding overflows on the proprietary services the vendors are writing. You hear often in ICS, “don’t scan it because it will crash”. This is what he is finding, and he says it is not difficult.

This is not to diminish the finding. Sometimes hard evidence like he is presenting is what is needed rather than a generic warning. It is the same rationale why we are doing Project Basecamp even though “everyone knows that PLC’s have little or no security and are easily compromised”.

Luigi is doing a bit more than scanning. He has built up a toolset that he uses against all products, not just ICS. He also then does a bit more work to find where the crash occurred and write up some proof of concept code.

Here is the list of products with vulnerabilities in what we are calling Luigi II:
  • Azeotech DAQFactory
  • Beckhoff TwinCAT
  • Cogent Datahub
  • Measuresoft SCADAPro
  • Progea Movicon
  • Rockwell Automation RSLogix
Most of the products are free or low cost HMI or engineering workstation products. RSLogix is used to configure the RA line of Logix PLC’s which are widely deployed in the critical infrastructure. Beckhoff is the big EtherCAT vendor, a high performance ICS protocol used primarily in manufacturing and in Europe.

The other vendors are smaller, add-on HMI, visualization and data transfer products that are used in either very small systems or as an addition/accessory to a larger system.

ICS-CERT has bulletins out for all the Luigi II advisories, but at this point they are just relaying the information. That may be all that is warranted for this type of vulnerability. ICS-CERT time might be better spent writing a useful and effective bulletin that is still lacking for the Beresford vulns, or even Stuxnet.

Focusing their expertise on the vulns most likely to impact the US critical infrastructure. Finally, no mention of Luigi Auriemma per ICS-CERT policy of only recognizing researchers who coordinate disclosure through them.

Tuesday, September 20, 2011

Two Live Online CISSP Exam Prep Clinics

Free Online Course Sponsored by University of Fairfax

At no charge, you can attend TWO live online CISSP Exam Prep Clinics taught by a leading (ISC)2 instructor!

Register at: http://www.ufairfax.net/cissp-2011-hlist/
  • CISSP Clinic I: Domains 1 – 4
  • CISSP Clinic II: Domains 5 – 10
Both clinics are available live online and on-demand following the webinar*.

If you’ve been studying for the CISSP exam, you’ll want to attend these TWO live online CISSP Exam Prep Clinics. You’ll discover strategies to increase your chances of success! You’ll learn techniques to help you quickly assess which questions to address first, which to delay answering and how to eliminate the less likely answers.

The Clinics include tips for all 10 domains covered in the exam.

Register today so you pass the CISSP Exam in 2011!
http://www.ufairfax.net/cissp-2011-hlist/

When:
  • Thursday, October 13, 2011, 2 – 3 PM ET
  • Thursday, October 20, 2011, 2 – 3 PM ET
Both clinics are also available on demand following each webinar*. There is No Charge for you to attend! Register now to prepare for your CISSP Exam.

--> http://www.ufairfax.net/cissp-2011-hlist/

Saturday, September 17, 2011

10 Most Costly Cyber Attacks in History

What we have learned from these attacks?

Cyber-attacks aren’t just fuel for poorly made movies or something teenagers do for fun. They are a serious issue with real-world consequences for companies, consumers and nations (and while good web hosting is a undoubtedly a good protective measure, it’s far from an impenetrable defense).

A recent survey by the Ponemon Institute found that 59% of those surveyed had suffered a slew of attacks in the last year, with the average cost to businesses exceeding $500,000 when they added up expenditure, overheads, labor, revenue losses, business disruption and other costs. Of course, that’s just the average outlay.

Here are the most costly cyberattacks ever carried out. These victims wish it had only cost them a paltry half a million dollars.

10. Citigroup

Tremendous amounts of wealth, from thousands of parties, flow through financial giants such as Citigroup on a daily basis. Earlier this year, in 2011, the aforementioned stacks of money and hoards of sensitive customer information provided ample incentive for cyber-hacks to organize an attack.

Over 200,000 customers’ names, contact details, account numbers and other information were compromised in the attack, as the thieves made off with $2.7m from credit card accounts. That’s a bad day at the office.

9. Titan Rain

The public face of international relations between non-warring states is usually one of diplomatic politeness, yet the 2004 discovery by Shawn Carpenter, a Sandia National Laboratories employee, of hacking into US military files brought to light the shadier underbelly of global affairs. “Titan Rain” is the FBI code-name for an extensive series of infiltrations into US military security, companies such as Lockheed and even NASA.

It is believed to have been perpetrated by cells of operatives on behalf of the Chinese government, although it is unknown whether this is actually the case or whether these were simply the actions of rogue hackers. While very difficult to quantify in objective terms, the potential to access and exploit the US government’s most secret information makes this a pretty costly attack in our book, and it is certainly one of the biggest of all time.

8. Heartland Payment Systems

Trusted payments processor Heartland Payment Systems fell victim to a 2008 plot to steal credit and debit card numbers. By secretly infesting the company’s computer network with spyware, the criminal gang responsible were able to steal over 100 million individual card numbers.

However, for one of the key masterminds behind the job, Albert Gonzalez, it was a case of his number being up when a federal jury found him guilty of his crimes and he was sentenced to 20 years in prison. As for Heartland, the episode ended up costing them around $140m. So much for their motto, “The highest standards — The most trusted transactions.”

7. Hannaford Bros

Grocery retailer Hannaford Bros suffered a four-month long breach of their security from the winter of 2007 to the spring of 2008. During this period, over 4.2 million credit and debit card numbers were exposed, along with other sensitive information.

This feat of cyber-criminality was achieved through the installation of malware on store servers, which stands in contrast to the more common tactic of hacking company databases. Experts table the costs incurred at an estimated $252m — more than the value of an average grocery list, to say the least. One of the principal hackers involved was Albert Gonzalez, who had also hacked Heartland Payment Systems as well as taking part in the TJX cyber-attack…

6. TJX

Massachusetts-based retailing company TJX, owner of such well-known chains as TJ Maxx and Marshalls, was taken for a ride by a group of cyber fiends with a fetish for electronics. The gang were able to get their hands on over 45 million credit and debit card numbers, a selection of which they then used to fund a multi-million dollar spending spree from Wal-Mart’s stock of electronics equipment.

Initially estimated at around $25m, the damage from the data-breach ended up costing over $250m in total. Perhaps the zero button on the estimators’ calculator was sticky.

5. Sven Jaschan

We’ve all heard the classic example of “chaos theory”: a butterfly flapping its wings in Brazil can set off a tornado in Texas. Well, for one German teen, a computer made an apt chrysalis for his butterfly.

In 2004, Sven Jaschan unleashed a virus which infected millions of computers around the world, reaching its highest degree of destruction when it comprehensively disabled the Delta Air Lines computer system, causing the cancellation of several transatlantic flights. Jaschan was eventually arrested after a three-month hunt, during which Mircosoft placed a $250,000 bounty on the hacker’s head.

An estimated $500 million worth of damage was generated (although other sources have put the total cost much higher, in the billions of dollars), all starting in the computer of a German college student.

4. Michael Calce

Michael Calce was not the most well-known 15-year-old; “MafiaBoy,” however, was a cyber-superstar. Widely considered approaching genius levels of computer expertise, Calce, aka MafiaBoy, conducted notorious attacks against huge companies with high levels of security. Amongst those attacked were computer manufacturer Dell, media giant CNN, and shopping sites Amazon and Ebay.

Prosecution for the estimated $1.2bn worth of damage caused went pretty smoothly, from Calce’s perspective. He ended up with a sentence of eight months open custody.

3. Sony

In a still unravelling saga, this year’s exposure of over 100 million PlayStation Network and Sony Online Entertainment accounts is forging a new chapter in the history of cyber-attacks. The personal information — including credit and debit card data — of tens of millions of users was stolen by an as yet unknown group of assailants.

Experts predict that the damage may range from $1 to $2bn, making it possibly the costliest cyber-hack ever to have been pulled off. Even worse, dedicated gamers were unable to log on while Sony attempted to deal with the breach, causing some serious tantrums.

2. Epsilon

Estimated at having a potential cost that ranges from $225m to $4bn, the March 2011 hack of e-mail handler Epsilon is another as of yet undetermined candidate for the costliest cyber-heist of all time. The Dallas-based firm provides marketing and email-handling services to organizations as large as Best Buy and JP Morgan Chase.

However, as the stolen information was mostly email addresses, the various possible criminal applications of this information mean that the estimated cost is extremely variable.

1. The Original Logic Bomb

In 1982, with the Cold War still far from thawing, the expansion of computer technology was increasingly finding its way to becoming a major tactical vehicle for the CIA. Without using a missile, bomb or other traditional explosive device, the US managed to blow up a Siberian gas pipeline, creating a monumental and historically unprecedented method of explosion.

The method used, known as a “logic bomb,” involved the insertion of a portion of code into the computer system overseeing the pipeline, causing computational chaos. Other than the obvious material cost to the Russians, this moment in history showed the world a further dimension to the costs that can be unleashed and incurred through the power of cyber-hacking.

Thursday, September 15, 2011

Top 10 Reports for Managing Vulnerabilities

Download free guides

This free guide covers the key aspects of the vulnerability management lifecycle and shows you what reports today's best-in-class organizations are using to reduce risks on their network infrastructure.

Download Here - http://bit.ly/p77R4w

Tuesday, September 13, 2011

Cars can be hacked?

McAfee warns of hacker threat to autos

Cars made smarter with Internet technology are zooming into perilous hacker territory, according to a report released late Tuesday by US computer security giant McAfee.

The first-of-its-kind report, entitled "Caution: Malware Ahead," warned that security is lagging as vehicles are enhanced with embedded chips and sensors for a growing array of purposes.

"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," said McAfee senior vice president and general manager Stuart McClure.

"It's one thing to have your email or laptop compromised, but having your car hacked could translate to dire risks to your personal safety," he added.

Chips are embedded in almost all parts of cars from airbags, brakes, and power seats to cruise controls, anti-theft gadgets, and communications systems, according to McClure.

Researchers have demonstrated that computers controlling functions in automobiles can be hacked if attackers get into vehicles and, in some cases, from afar.

The actual report can be accessed here: http://mcaf.ee/ldgs2

Sunday, September 11, 2011

ZigBee Architecture Basics

Zigbee Networking Architecture

This training video is intended to explain the ZigBee mesh networking architecture at a high level. It discusses basic topics such as:

What is mesh networking?


Saturday, September 10, 2011

Overview of ZigBee Home Automation and Smart Energy Profiles

Security is a key concern for Zigbee

Ember training curriculum video about Home Automation (HA) and Smart Energy (SE) application profiles.

Explains the basic intentions of these profiles and covers (for each profile):


Friday, September 9, 2011

Threat Management Summit

Free Online Event

An effective and up-to-date threat management solution is crucial as cyber attacks are becoming increasingly sophisticated and pervasive. From next generation firewalls to unified threat management, leading experts from the information security industry will share tools, strategies, and solutions to eliminate threats, minimize risks and reduce costs during this two-day online summit.

WHEN: Wednesday, September 14 – Thursday, September 15, 2011 (All webcasts will be immediately recorded and viewable on demand)

WHERE: Sign up to attend the live interactive webcasts, or view them afterward on demand here: http://www.brighttalk.com/r/Nmv .

PRESENTATIONS INCLUDE:

“Adapt or Die: Threats, Vulnerabilities and Your Networks and Data”
Derek E. Brink, Aberdeen Group; Michael Stute, Global DataGuard; Dwayne Melancon, Tripwire; Gary Golomb, RSA NetWitness

“Cloud Security & Control: A Multi-Layer Approach to Secure Cloud Computing”
John Rowell, CTO, OpSource & Paul Sathis, Director of Cloud Computing, Intel

“War Texting: Weaponizing Machine 2 Machine”
Don Bailey, Security Consultant, iSEC Partners

“Insiders: What Motivates Them and How to Protect Sensitive Data”
Raphael Reich, Director of Product Marketing, Imperva

“Real Security is Dirty”
J.J. Thompson, CEO, Rook Consulting

“How to Ensure Real-Time Threat Detection”
Frost & Sullivan along with ESET Researcher

You can view the full lineup and sign up to attend any or all presentations at http://www.brighttalk.com/r/Nmv . This summit is part of the ongoing series of thought leadership events presented on BrightTALK(TM). I hope you are able to attend.

Thursday, September 8, 2011

Cybercrime hits Aussies for $4.6b a year

More than burglary, assault combined!!

Cybercrime is soaring, already costs Australians more than burglary, and will only increase as more people conduct their daily lives through relatively insecure and easily lost smartphones and other mobile devices, a specialist on cybercrime says.

Marian Merritt, internet safety advocate with computer security company Norton, said a new global study showed 69 per cent of adults around the world experienced cybercrime in their lifetime, much more than previously thought because this type of crime mostly wasn't reported.

"Ten per cent of us have already experienced mobile device related cybercrime. That's cybercrime on our [mobile] phones, tablets and other devices we carry with us as we go about our business," she said.

"It's only going to get bigger because we are all doing more and more with our mobile devices," she said. Cybercrime on mobile devices has produced a new word: smishing, or SMS-based phishing which aims to gain private information.

In some countries, many people go straight to mobile devices for all their computing needs, bypassing the home PC route. More and more, mobile devices are being used for routine financial transactions.

"We are going to walk up to buy coffee and use our mobile device to make that financial transaction, we are going to check our bank balance and we are going to make purchases," she said.

"This is what's coming in the future and we need it to be safe. This is truly a phenomenon we need to take note of." Ms Merritt said part of the problem was that users didn't treat smartphones in the same way they treated their home PC.

"We are all playing little bird-related games on them. We put funny stickers on the back of them. They don't seem like serious devices that need security but boy they really are," she said.

In its fourth global review of cybercrime, Norton surveyed the experiences of 20,000 people in 24 countries including 802 in Australia.

Taking into account actual financial losses and other factors such as time lost, the study puts the global cost at $US388 billion over the last year. That makes cybercrime bigger than the combined global market for marijuana, cocaine and heroin combined.

Symantec estimates that 4.5 million Australians fell victim to cybercrime last year, suffering $1.8 billion in direct financial losses and a further $2.8 billion in time spent resolving the crime. That totals $4.6 billion. On that basis, cybercrime costs Australia more than the traditional crimes of burglary ($2.2 billion) and assault ($1.4 billion).

Norton also found that seven in ten online adults had been a victim of cybercrime in the lifetime, while 8 per cent of Australian adults had experienced cyber crime on their mobile phone.

The most common form of cybercrime relates to computer virus and malware infection (57 per cent of respondents), followed by online credit card fraud (13 per cent) and hacking of social network data (12 per cent). Worryingly, the survey said, most of this occurred in the last year.

Ms Merritt suggests some simple precautions:
  • use security software and keep it up to date (Norton is of course a major vendor).
  • use a password for a mobile device (something more sophisticated than 1234) so it can't be readily used if lost or stolen.
News sourced from Sydney Morning Herald.

Wednesday, September 7, 2011

Social Media: Training Is Key

How we can manage risks of Social Media through Policies?

Frequent face-to-face training on social media policies is a vital component of any risk management effort.
Once an organization develops social media policies designed, in part, to prevent privacy violations, in-person training sessions offer the best way to make certain that policies are followed.

Training sessions should provide real-world examples of inappropriate uses of social media to reinforce the risks involved. In spelling out proper uses of social media for communication, an organization must ensure that employees "understand that posting on Facebook is really no different than talking at the water cooler or sending an e-mail.

Because organisations can use social media for many purposes, It is highly recommended to create a multi-disciplinary team to develop policies. The team should include representatives of the human resources, legal, information technology, marketing, risk management, public relations and compliance departments.

The other key recommendations are:
  • Document current and intended social media use. For example, if a human resources department intends to use social media for recruiting and hiring purposes, that will require the creation of policies about allowable uses of information gathered.
  • Perform a risk assessment. A key component of this effort, is to conduct a workshop with upper management and key stakeholders to discuss all risks identified so they can be mitigated.
  • Expand current policies to include social media and implement safeguards. For example, organizations may want to expand their information security policy to explain the potential for downloading malware by clicking on a malicious Facebook page. In addition to adding new details to existing policies, organizations may also want to create a freestanding social media policy to highlight key issues.
  • Provide social media training. It's important to provide frequent updates with reminders about security incidents in the news.
  • Monitor social media channels. By tracking mentions of their organization on social media, executives can use the information to adjust their marketing message, offer personalized replies to negative comments and capitalize on positive comments.

Monday, September 5, 2011

The Seven-Step Information Gathering Process

Basic guide to perform information gathering including some useful tools

Footprinting is about information gathering and is both passive and active. Reviewing the company's website is an example of passive footprinting, whereas calling the help desk and attempting to social engineering them out of privileged information is an example of active information gathering.

Scanning entails pinging machines, determining network ranges and port scanning individual systems.
  1. Information gathering
  2. Determining the network range
  3. Identifying active machines
  4. Finding open ports and access points
  5. OS fingerprinting
  6. Fingerprinting services
  7. Mapping the network
The Seven Steps Of The Pre-Attack Phase

StepTitleActive/PassiveCommon Tools
OneInformation gatheringPassiveSam Spade, ARIN, IANA, Whois, Nslookup
TwoDetermining network rangePassiveRIPE, APNIC, ARIN
ThreeIdentify active machinesActivePing, traceroute, Superscan, Angry IP scanner
FourFinding open ports and applicationsActiveNmap, Amap, SuperScan
FiveOS fingerprintingActive/passiveNmap, Winfigerprint, P0f, Xprobe2, ettercap
SixFingerprinting servicesActiveTelnet, FTP, Netcat
SevenMapping the networkActiveCheops, traceroute, NeoTrace

Saturday, September 3, 2011

Unsafe Password Management Practices

MORTO Windows Worm spread by attacking weak passwords

Did you know that 35% of all data breaches are a result of lost, stolen or compromised personal computers? That means that although companies invest in numerous technologies to protect their information, they have a 35% gap in their security plan on PC’s.

The result of poor password management and insecure systems is all too evident in the press lately with thousands of password breaches for Sony Playstation Network, Gawker media’s sites, RockYou.com and many others.

The new password -guessing Windows worm “Morto” is spread by attacking weak passwords. “Morto” takes advantage of the fact that so many computers, servers and networks secure the front door with a simple hook ‘n’ latch security system. It is not that passwords are insecure, but rather how users pick and manage their passwords.

Morto works by attempting to log in to accounts using a series of incredibly weak passwords, such as “12345,” “admin,” “password,” and “test,” along with some brute-force dictionary guesses. It also attempts overly common logon names, including “administrator,” “admin,” “backup,” and “sql.”

With increasing amounts of personal information available online through social networking sites and other sources, many users are putting themselves at increased risk by using weak passwords based on known things such as the name of a child or partner.

This particular worm highlights the importance of setting strong system passwords